Hacking techniques automation

1
Hacking techniques automation

• Yarochkin Fyodor.
• Guard-Info

Meder Kydyraliev O0o.nu sec. Singapore
2
I will talk about my research interests during
past year or so.. So, why automate hacking ?-
design hackers personal agent- leverage time
use- other uses of automation
3
Agenda

• Agents the concept of Hackers personal
  Assistant and how I am going to get it working
• YAWATT concepts, knowledge base, planning
• Implementation - YAWATT, httpbee, pbounce
• Notes on distributed approach
• Notes on automation
• Hacking web applications with httpbee and YAWATT
• Maintaining control of compromised hosts with
  pbounce

4
Agents

• Why agents
• Why Hacker personal Assistant
• How our framework is to be designed

5
Agent inner workings diagram(generic)
6
Inter Agent framework

• We have roles
• Facilator
• Requesting agents
• Service Agents
• Meta agents (used for planning)

7
Inter Agent framework diagram
8
Service agents

• Yawatt web analysis, data mining
• HttpBee swiss knife for web application testing
• Pbounce advanced tunneling

9
YAWATT focus is around web applications, why?

• HTTP/HTTPS services are very common and usually
  legimate (services that the company is usually
  aiming to provide)
• Web applications often are complex
• Often programmed by non-professionals
• System Administrators are not programmers and
  cant fix bad code.. Conclusion is..

10
the Web applications - the largest hole to get
through

• The code is bad
• Q/A not security oriented
• Must get product to market ASAP
• Firewalls are there but they cant help
• IDS are there but they are blind (HTTPS)
• Application firewalls - stop limited number of
  web application attacks (basic user input
  validation), but are useless when it comes to
  detection of logical vulnerabilities

11
Requirements to the framework

• Automated methods and tools to test security
• Ability to emulate hacker attacks (think like
  a hacker would do)
• Ability to extract, store and transfer knowledge
  from expensive security professionals (aka
  hackers) to cheap computer automation
• Ability to have real-time interaction with
  testing process

12
Software agents

• Autonomous functionality
• Cooperation capabilities
• Learning and knowledge management capabilities
• More to the feature wishlist
• Let human do what he can do faster and
• learn from human -gt knowledge transfer
• Deal with uncertainty in intelligent way

13
YAWATT design blocks

• YAWATT knowledge base - Efficient knowledge base
  for testing methods, knowledge about testing
  targets, infrastructure and so on implemented
  as
• Efficient planning abilities (work in progress)

14
Knowledge representation in YAWATT

• Ontology is represented with Time, Objects
  (hosts, networks, applications, urls, etc),
  Actions
• Shall be added beliefs (intuitive guessings)

15
YAWATT knowledge base

• Still in design process.
• Httpbee (working horse of yawatt, also an
  agent) talks to KB via API
• Knowledge can be accessed or added via set of
  requests
• TELL(X, Y)
• ASK(X)
• QUERY(X)
• (KB operates on entities which are objects
  within target network. An application, host,
  user, can be an entity, different entities may
  have different properties.
• Implementation single table is used to store
  entities and their types. Separate tables are
  used to keep properties of different agents

16
Planning in YAWATT

• Currently yawatt agent system is designed as
  centralized system httpbee instances talk to
  YAWATT server (which maintains KB)
• P2P architecture is in TODO
• Agent actions can be later planned, when KB is
  enriched with the data from human security
  analysts
• Inference engine/planner is at design stage
• (need to think how to represent analyst
  knowledge and actions to be taken in general form)

17
Details on tools of tradeYAWATT, httbee, pbounce
18
What we want to achieve

• Learning capabilities
• Control of software agents
• Intelligent data management
• Interesting Visualization (maybe?)
• Data aggregation, analysis (for reporting etc)

19
YAWATT one of learning methods is learning from
user sessions

• User sessions collections of users requests
  and responses (url, name/value pairs, session
  information and selective HTTP protocol data)
• Classified user session data include semantic
  classification of URL, parameters, responses and
  HTTP protocol data (server type, backend
  system(s) if visible, unusual HTTP headers
  detected and included)

20
YAWATT Automation

• Application content is learnt from user sessions
  (data feeders proxies, enumeration tools)
• Real-time content analysis with additional
  verification

21
YAWATT ideas on raw data classification (of
entities)

• User session data is classified by
• Semantic and functional classification of URL
• HTTP protocol classificators (server type,
  cookies ..)
• Session classificators
• Input data classification type, semantics
• Output classification (application error
  detection, redirects, bogus responses etc)

22
YAWATT real-time classification
23
YAWATT Testing process

• Testing with HTTPBee (introduced later)
• Testing with YAWATT Plugins (tests) could be
  executed during the collection of user session
  data if any of user session data triggers certain
  plugin
• Plugins (tests) are executed on demand, when user
  session data is completed

24
YAWATT Intelligence components

• Web application components (URL) classification
• Semantic classification for web application input
  data
• Use of Latent Semantic Indexing Algorithm in
  response analysis
• In response analyzers.
• Use of queries to external sources, search
  engines
• Generation of target-specific bruteforce
  dictionaries

25
YAWATTInput data classification
26
YAWATT Use of classified user session data
27
YAWATT Communication layer

• Originally odified version of spread toolkit used
  as base (www.spread.org)
• Replaced with Yawatt Data Excahnge Server,
  running over HTTP

28
YAWATT architecture
29
Arbitrary data collection (from YAWATT Database)

• Aside from application vulnerabilities, other
  things of interest are
• Email addresses, user ids that could be seen
  within web content
• Domain names (within web pages, comments, binary
  files, etc)
• Building target-oriented dictionary files (used
  by brute-force cracking modules)

30
How the targeted dictionaries for brute-force
attacks are generated

• A statistical information extraction method is
  applied
• Step 1Random similarly styled texts in the same
  language as the target application content, are
  analyzed and the statistical occurrence of each
  word is calculated
• Step 2Statistical occurrence of each word within
  the target website is calculated
• Step 3The dictionary is produced by selecting
  those words which probability produced in Step 1
  and Step 2 is significally different

31
YAWATT (hands on)

• You will need linux, burp proxy, YAWATT tarball.
• Start YAWATT Collector, start burp proxy with
  YAWATT plugin loaded. Start browsing
• If you see stuff running you can try ..

32
You can try to add your own plugin

• Add your plugin code on the fly (attack
  automation plugins via subscription mechanism,
  classification plugins etc)
• Cant be simpler

33
YAWATT visualization (work in progress) (show
actual application)
34
Introducing HTTPBee
35
HTTPBee

• High-performance threaded HTTP service testing
  tool. Designed as swiss-army-knife for HTTP
  services hacking
• Scriptable via LUA scripting engine
• API for sophisticated data analysis
• Command line (or daemon mode, later)
• Can be integrated with YAWATT (via scripts, or
  LUA API later)

36
HTTPBee scripting Engine

• Simple
• High-performance provided by HTTPBee code

37
HTTPBee API
38
HTTPBee API
39
HTTPBee output

• HttpBee 0.1-pre. (http//o0o.nu)Started at
  2007-03-08 0120 CSTStarting up 3 scanning
  threads...GET /cmd.php?commandechoGOTTALOVETHEE
  XEC HTTP/1.0GET /cmd.php?fooechoGOTTALOVETHEEX
  EC HTTP/1.0GET /cmd.php?includeechoGOTTALOVETH
  EEXEC HTTP/1.0GET /cmd.php?file_incechoGOTTALO
  VETHEEXEC HTTP/1.0GET /cmd.php?harechoGOTTALOV
  ETHEEXEC HTTP/1.0GET /cmd.php?delechoGOTTALOVE
  THEEXEC HTTP/1.0GET /cmd.php?cmdechoGOTTALOVET
  HEEXEC HTTP/1.0GOT EXECUTION WITH REQUESTGET
  /cmd.php?commandechoGOTTALOVETHEEXEC
• Script execution completedall is doneWating for
  scanning process to stop..........................
  ..................................................
  ..................................................
  ..................................................
  ..................................................
  ..............................done at 2007-03-08
  0120 CST.Total execution time 12 seconds.

40
Experimenting with HTTPBee

• You can try to design your own scripting modules
• Analyst knowledge can be represented in form of
  such scripts

41
Introducing pbounce
Co-work with Meder Kydyraliev
42
What is pbounce

• Advanced port and connection forwarding tool.
• Connection encapsulation and multiplexing on
  demand through a single connection
• Pivot mode allows to pierce firewalls that
  allow outgoing connections only.
• Small binary footprint. Extremely portable
  (windows, unixes, binaries packaged)
• Remote command execution possibilities

43
Pbounce sample architecture

• Two instances of pbounce are required.
• LiMo instance should run on your machine
• PiMo (pivoting mode) instance should run on
  compromised system
• LiMo is the control center for PiMo pbounce
  instances.

44
PBounce sample architecture

• Pbounce infrastructure setup

Internal system 192.168.0.10
LAN
Run pbounce in PiMo as Pbounce P R
XXX.XXX.XXX.XXX r 10000
firewall
internet
Your machine
Run pbounce in LiMo as Pbounce L 5000 r 10000
45
PBounce binding port

• Connect to port 5000 on your machine and issue
  command
• BIND 192.168.0.10 T 22 1022
• Port 1022 on your machine will be associated
• With port 22 on 192.168.0.10

46
PBounce other features

• If LiMo node dies, PiMo instance will continuesly
  try to establish connection
• PiMo instance may be scripted via external script
  to obtain LiMo address from external source (i.e.
  post to a newsgroup)
• Primitive data scrambling with k key is
  supported (this is not encryption. But
  obfuscation!)
• Pbounce supports HTTP proxy with CONNECT method
  availability (-F proxyIP, -f proxyport)

47
Code availability

• PBounce
• http//o0o.nu/meder/index.php?pgpbounce
• HTTPBee
• http//o0o.nu/httpbee
• YAWATT
• http//o0o.nu/YAWATT

48
Other research interests

• SS7 security
• Working on scanning tools
• Ruby binding for SCTP

49
Questions and Answers

• Sample questions, pick one ---------)
• Why another hacking tool?
• Can you do X too..?
• Can X be integrated too ..?
• This presentation is boring crap, any excuse ..? ?

50
Thanks

• Thanks for your patience
• Send me email if you like the stuff ?